June 27, 2025

AI is transforming how organizations work, but it’s also changing how data moves, who can access it, and how easily it can be exposed. Sensitive data now appears in AI prompts, Copilot responses, and across a growing ecosystem of SaaS and GenAI tools. To keep up, organizations need data security that’s built for how people work with AI today.
Microsoft Purview brings together native classification, visibility, protection and automated workflows across your data estate—all in one integrated platform.
Today, we’re highlighting some of our new capabilities that help you:
- Uncover data blind spots: Discover hidden risks, improve data security posture, and find sensitive data on endpoints with on-demand classification
- Strengthen protection across data flows: Enhance oversharing controls for Microsoft 365 Copilot, expand protection to more Azure data sources, and extend data security to the network layer
- Respond faster with automation: Automate investigation workflows with Alert agents in Data Loss Prevention (DLP) and Insider Risk Management (IRM)
Discover hidden risks and improve data security posture
Many security teams struggle with fragmented tools that silo sensitive data visibility across apps and clouds. According to recent studies, 21% of decision-makers cite the lack of unified visibility as a top barrier to effective data security. This leads to gaps in protection and inefficient incident response, ultimately weakening the organization’s overall data security posture.
To help organizations address these challenges, last November at Ignite we launched Microsoft Purview Data Security Posture Management (DSPM), and we’re excited to share that this capability is now available. DSPM continuously assesses your data estate, surfaces contextual insights into sensitive data and its usage, and recommends targeted controls to reduce risk and strengthen your data security program.
We’re also bringing in new signals from email exfiltration and from user activity in the browser and network into DSPM’s insights and policy recommendations, making sure organizations can improve their protections and address potential data security gaps.
You can now also run deeper investigations in DSPM with 3x more suggested prompts, outcome-based promptbooks, and a new guidance experience that helps interpret unsupported user queries and offers helpful alternatives, increasing usability without hard stops.
New Security Copilot task-based promptbooks in Purview DSPM
Learn more about how DSPM can help your organization strengthen your data security posture.
Find sensitive data on endpoints with on-demand classification
Security teams often struggle to uncover sensitive data sitting for a long time on endpoints, one of the most overlooked and unmanaged surfaces in the data estate. Typically, data gets classified when a file is created, modified, or accessed. As a result, older data at rest that hasn’t been touched in a while can remain outside the scope of classification workflows. This lack of visibility increases the risk of exposure, especially for sensitive data that is not actively used or monitored.
To tackle this challenge, we are introducing on-demand classification for endpoints.
Coming to public preview in July, on-demand classification for endpoints gives security teams a targeted way to scan data at rest on Windows devices, without relying on file activity, to uncover sensitive files that have never been classified or reviewed.
This means you can:
- Discover sensitive data on endpoints, including older, unclassified data that may never have been scanned, giving admins visibility into unclassified files that typically fall outside traditional classification workflows
- Support audit and compliance efforts by identifying sensitive data
- Focus scans on specific users, file types, or timelines to get visibility that really matters
- Get insights needed to prioritize remediation or protection strategies
Security teams can define where or what to focus on by selecting specific users, file types, or last modified dates. This allows teams to prioritize scans for high-priority scenarios, like users handling sensitive data.
Because on-demand classification scans are manually triggered and scoped, organizations can get targeted visibility into sensitive data on endpoints with minimal performance impact and without the need for complex setup.
Complements just-in-time protection
On-demand classification for endpoints also works hand-in-hand with existing endpoint DLP capabilities like just-in-time (JIT) protection.
- JIT protection kicks in during file access, blocking or alerting based on real-time content evaluation
- On-demand classification works ahead of time, identifying sensitive data that hasn’t been modified or accessed in an extended period
Used together, they form a layered endpoint protection strategy, ensuring full visibility and protection.
Choosing the right tool
On-demand classification for endpoints is purpose-built for discovering sensitive data at rest on endpoints, especially files that haven’t been accessed or modified for a long time. It gives admins targeted visibility—no user action required.
If you’re looking to apply labels, enforce protection policies, or scan files stored on on-premises servers, the Microsoft Purview Information Protection Scanner may be a better fit. It is designed for ongoing policy enforcement and label application across your hybrid environment. Learn more here.
Get started with on-demand classification
On-demand classification is easy to set up, with no agents to install or complex rules to configure. It only runs when you choose, rather than continuously running in the background. You stay in control of when and where scans happen, making it a simple and efficient way to extend visibility to endpoints.
On-demand classification for endpoints enters public preview in July. Stay tuned for setup guidance and more details as we get closer to launch.
Streamlining technical issue resolution with always-on diagnostics for endpoint devices
Historically, resolving technical support tickets for Purview DLP required admins to manually collect logs and have end users reproduce the original issue at the time of the request. This could lead to delays, extended resolution times, and repeated communication cycles, especially for non-reproducible issues.
Today, we’re introducing a new way to capture and share endpoint diagnostics: always-on diagnostics, available in public preview. When submitting support requests for Purview endpoint DLP, customers can now share rich diagnostic data with Microsoft without needing to recreate the issue scenario when submitting an investigation request such as a support ticket. This capability can now be enabled through your endpoint DLP settings. Learn more about always-on diagnostics here.
Strengthening DLP for Microsoft 365 Copilot
As organizations adopt Microsoft 365 Copilot, DLP plays a critical role in minimizing the risk of sensitive data exposure through AI. New enhancements give security teams greater control, visibility, and flexibility when protecting sensitive content in Copilot scenarios.
Expanded protection to labeled emails
DLP for Microsoft 365 Copilot now supports labeled email, available today, in addition to files in SharePoint and OneDrive. This helps prevent sensitive emails from being processed by Copilot and used as grounding data. This capability is applicable to emails sent after 1/1/2025.
Alerts and investigations for Copilot access attempts
Security teams can now configure DLP alerts for Microsoft 365 Copilot activity, surfacing attempts to access emails or files with sensitivity labels that match DLP policies. Alert reports include key details like user identity, policy match, and file name, enabling admins to quickly assess what happened, determine if further investigation is needed, and take appropriate follow-up actions. Admins can also choose to notify users directly, reinforcing responsible data use. The rollout will start on June 30 and is expected to be completed by the end of July.
Simulation mode for Copilot DLP policies
As part of the rollout starting on June 30, simulation mode lets admins test Copilot-specific DLP policies before enforcement. By previewing matches without impacting users, security teams can fine-tune rules, reduce false positives, and deploy policies with greater confidence.
Learn more about DLP for Microsoft 365 Copilot here.
Extended protection to more Azure data sources
AI development is only as secure as the data that feeds it. That’s why Microsoft Purview Information Protection is expanding its auto-labeling capabilities to cover more Azure data sources.
Now in public preview, security teams can automatically apply sensitivity labels to additional Azure data sources, including Azure Cosmos DB, PostgreSQL, KustoDB, MySQL, Azure Files, Azure Databricks, Azure SQL Managed Instances, and Azure Synapse.
These additions build on existing coverage for Azure Blob Storage, Azure Data Lake Storage, and Azure SQL Database. These sources commonly fuel analytics pipelines and AI training workloads. With auto-labeling extended to more high-value data sources, sensitivity labels are applied to the data before it’s copied, shared, or integrated into downstream systems. These labels help enforce protection policies and limit unauthorized access to ensure sensitive data is handled appropriately across apps and AI workflows.
To secure your AI training data, learn how to set up auto-labeling here.
Extending data security to the network layer
With more sensitive data moving through unmanaged SaaS apps and personal AI tools, your network is now a critical security surface.
Earlier this year, we announced the introduction of Purview data security controls for the network layer. With inline data discovery for the network, organizations can detect sensitive data that’s outside of the trusted boundaries of the organization, such as unmanaged SaaS apps and cloud services.
This helps admins understand how sensitive data can be intentionally or inadvertently exfiltrated to personal instances of apps, unsanctioned GenAI apps, cloud storage boxes, and more. This capability is now available in public preview — learn more here.
Visibility of sensitive data sent through the network also includes insights into how users may be sharing data in risky ways. User activities such as file uploads or AI prompt submissions are captured in Insider Risk Management to build richer, more comprehensive profiles of user risk. In turn, these signals will also better contextualize future data interactions and enrich policy verdicts. These user risk indicators will become available in the coming weeks.
Automate investigation workflows with Alert Triage Agents in DLP and IRM
Security teams today face a high volume of alerts, often spending hours sorting through false positives and low priority flags to find threats that matter. To help security teams focus on what’s truly high risk, we’re excited to share that the Alert Triage Agents in Microsoft Purview Data Loss Prevention (DLP) and Insider Risk Management (IRM) are now available in public preview.
These autonomous, Security Copilot-powered agents prioritize alerts that pose the greatest risk to organizations. Whether it’s identifying high-impact exfiltration attempts in DLP or surfacing potential insider threats in IRM, the agents analyze both content and intent to deliver transparent, explainable findings.
Built to learn from user feedback, these agents not only accelerate investigations but also improve over time, helping teams prioritize real threats, reduce time spent on false positives, and adapt to evolving risks. Watch the new Mechanics video, or learn more about how to get started here.
A unified approach to modern data security
Disjointed security tools create gaps and increase operational overhead. Microsoft Purview offers a unified data security platform designed to keep pace with how your organization works with AI today.
From endpoint visibility to automated security workflows, Purview unifies data security across your estate, giving you one platform for end-to-end data security.
As your data estate grows and AI reshapes the way you work, Purview helps you stay ahead—so you can scale securely, reduce risk, and unlock the full productivity potential of AI with confidence.
Ready to unify your data security into one integrated platform? Try Microsoft Purview free for 90 days.